New details have emerged regarding Cathay Pacific’s data breach. The main update is that what was previously believed to be unauthorised access to 9.4 million passengers’ personal data was in fact a sustained three-month-long cyberattack.

In a written submission ahead of a joint meeting tomorrow with Hong Kong lawmakers regarding the breach, the airline said it and affected passengers were “victims of a cybercrime carried out by sophisticated attacker(s)” that “were at their most intense in March, April and May but continued thereafter”.

While no new revelations have emerged concerning the specifics of what data was compromised or the number of people that were affected, the airline’s latest submission suggests the event was far more significant than originally thought, and also goes some way to explaining the months-long delay between the detection of the attack, the date that a breach was confirmed, and passengers being informed.

Here’s what we know so far about the attack based on Cathay Pacific’s statements and reported events:

March 2018

  • Cathay Pacific first detects suspicious activity on its network and takes “immediate action to understand the incident and to contain it” employing a “leading global cybersecurity firm”.

April 2018

  • Further attacks. Cathay’s internal and external IT security resources focus on containment and prevention, with remedial activities beginning.

May 2018

  • Further attacks. Towards the end of the month, the number of successful attacks diminishes, though they do continue. “These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention,” said the airline in its written submission to local legislators.

May-August 2018

  • Cathay attempts to ascertain the extent of passenger data that had been accessed or stolen and whether compromised data could be reconstructed outside of Cathay’s own IT systems.

August-October 2018

  • Cathay investigates what passenger data has been affected in order “to give a single, accurate and meaningful notification to each affected passenger, rather than to provide an overly broad and non-specific notice”.

October 24, 2018

  • Cathay notifies the Privacy Commissioner for Personal Data, the Hong Kong Police and the Hong Kong Stock Exchange of unauthorised access to certain IT systems concerning the personal data of certain passengers in Hong Kong and abroad.
  • Cathay notifies other applicable regulators, and publishes a written statement on its official website.
  • Cathay sets up dedicated website ( and call centre for passengers affected by the breach.

October 25, 2018

  • Affected passengers begin being notified directly by Cathay.
  • Cathay CEO Rupert Hogg delivers video message to customers, offering optional complimentary ID monitoring via IdentityWorks to affected passengers.

November 12, 2018

  • Cathay releases written statement prior to the joint Legislative Council (LegCo) panels meeting on November 14.
  • Cathay says that to date, cybersecurity experts it has employed have found no evidence of compromised data appearing on other websites or on the dark web.
  • As of midnight, 50,271 passengers had enrolled in IdentityWorks, an ID-monitoring system, provided by the airline at no cost.

November 14, 2018

  • Executives at Cathay tell Hong Kong lawmakers the airline is working with 27 regulators in 15 jurisdictions to investigate the attack.
  • Cathay executives reportedly avoid answering lawmakers’ questions regarding whether Cathay will compensate all affected customers, or whether it might incur a fine under new European Union privacy rules.

Were you affected by the data breach? Let us know in our online poll or join the discusssion in our forums.